CVE-2026-25737
📋 TL;DR
Budibase versions 3.24.0 and earlier have an arbitrary file upload vulnerability where file extension restrictions are only enforced at the UI level, allowing attackers to bypass restrictions and upload malicious files. This affects all Budibase deployments using vulnerable versions, potentially compromising the server and connected systems.
💻 Affected Systems
- Budibase
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data exfiltration, and lateral movement within the network.
Likely Case
Malicious file upload leading to web shell deployment, data manipulation, or denial of service attacks.
If Mitigated
Limited impact with proper network segmentation and file validation, though risk remains for exposed instances.
🎯 Exploit Status
Exploitation requires access to the file upload functionality; an already authenticated user does not need to bypass authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.24.1 or later
Vendor Advisory: https://github.com/Budibase/budibase/security/advisories/GHSA-2hfr-343j-863r
Restart Required: Yes
Instructions:
1. Update Budibase to version 3.24.1 or later.
2. Restart the Budibase service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable file upload functionality
- Temporarily disable all file upload features in Budibase configuration
- Edit Budibase configuration to remove or disable file upload endpoints
Implement WAF rules
- Add web application firewall rules to block malicious file upload attempts
- Configure WAF to block requests with suspicious file extensions or content
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Budibase instances
- Deploy additional file validation at reverse proxy or load balancer level
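The server-side validation recommended above, as an added example that is not Budibase's own code: a filename and content check that an upload handler (or a proxy in front of it) runs regardless of what the UI enforced. The allowlist, the script-extension list and the magic-byte table are constructed for the illustration.

```javascript
// Added example (not Budibase code): a server-side upload check that does not
// trust anything the browser enforced. Lists below are constructed for illustration.
const ALLOWED_EXTENSIONS = new Set(["png", "jpg", "jpeg", "gif", "pdf", "csv", "txt"]);

// Extensions that must never appear in any segment of a stored filename, so that
// "report.php.jpg" is refused rather than relying on how the web server maps types.
const SCRIPT_EXTENSIONS = new Set(["php", "phtml", "jsp", "asp", "aspx", "exe", "sh"]);

// Leading bytes for the binary types in the allowlist, so content is checked too.
const MAGIC = {
  png: [0x89, 0x50, 0x4e, 0x47],
  jpg: [0xff, 0xd8, 0xff],
  jpeg: [0xff, 0xd8, 0xff],
  gif: [0x47, 0x49, 0x46, 0x38],
  pdf: [0x25, 0x50, 0x44, 0x46],
};

// Validates a proposed filename and the first bytes of its content.
// Returns { ok: true, ext } or { ok: false, reason }.
function checkUpload(filename, bytes) {
  if (typeof filename !== "string" || filename.trim() === "") {
    return { ok: false, reason: "empty filename" };
  }
  // Path separators, traversal sequences and NUL bytes are rejected outright.
  if (/[\\/\0]/.test(filename) || filename.includes("..")) {
    return { ok: false, reason: "path characters in filename" };
  }
  // Normalise case and strip trailing dots/spaces that some filesystems silently
  // drop, so "shell.PHP." cannot end up stored as "shell.php".
  const parts = filename.toLowerCase().replace(/[. ]+$/, "").split(".");
  if (parts.length < 2 || parts[0] === "") {
    return { ok: false, reason: "missing extension" };
  }
  const ext = parts[parts.length - 1];
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension '${ext}' not allowed` };
  }
  if (parts.slice(1, -1).some((seg) => SCRIPT_EXTENSIONS.has(seg))) {
    return { ok: false, reason: "script extension inside filename" };
  }
  // Binary types must also start with the expected magic bytes.
  const magic = MAGIC[ext];
  const head = bytes || [];
  if (magic && magic.some((b, i) => head[i] !== b)) {
    return { ok: false, reason: `content does not match .${ext}` };
  }
  return { ok: true, ext };
}
```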
🔍 How to Verify
Check if Vulnerable:
Check the Budibase version via the admin interface or configuration files. If the version is 3.24.0 or earlier, the system is vulnerable.
Check Version:
Check the Budibase admin panel or, for an npm installation, run 'npm list budibase'.
Verify Fix Applied:
Verify that the Budibase version is 3.24.1 or later, then test the file upload functionality with restricted extensions to confirm they are rejected server-side.
📡 Detection & Monitoring
Log Indicators:
- Upload attempts with file extensions outside the configured allowlist (UI restrictions bypassed)
- Multiple failed upload attempts followed by successful upload
- Uploads of executable files or scripts
Network Indicators:
- HTTP POST requests to upload endpoints with unusual file extensions
- Large file uploads to Budibase endpoints
SIEM Query:
source="budibase" AND (event="file_upload" OR url_path="/api/upload") AND (file_extension="php" OR file_extension="jsp" OR file_extension="exe")